Static Scan Results
scanned 2h ago · by rust-scannerStatic analysis flagged 10 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.
Decision evidence
public snapshotBehavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
Source & flagged code
3 flagged · loading sourcedist/index.jsView file
2520import os from "os";
L2521: import { execFileSync } from "child_process";
L2522:
High
6529const { homedir } = await import("os");
L6530: const { execFileSync: execFileSync4 } = await import("child_process");
L6531: const home = homedir();
L6532: const apiUrl = process.env.DEERDAWN_API_URL ?? "https://api.deerdawn.com";
L6533: let apiKey = process.env.DEERDAWN_API_KEY ?? loadSavedApiKey() ?? null;
High
Same File Env Network Execution
A single source file combines environment access, network access, and code or shell execution; review context before blocking.
dist/index.jsView on unpkg · L6529440summary: z4.string().default(""),
L441: metadata: z4.record(z4.unknown()).default({}),
L442: confidence: z4.number().min(0).max(1).default(0.5),
...
L1290: try {
L1291: const fmt = new Intl.DateTimeFormat("en-US", {
L1292: timeZone: tz,
...
L1730: }
L1731: var DEFAULT_MCP_API_URL = "https://api.deerdawn.com";
L1732: function buildMcpServerConfigObject(apiUrl = DEFAULT_MCP_API_URL, apiKey = "") {
...
L2018: } = require_src();
L2019: function getHomeDir() {
L2020: return process.env.DEERDAWN_HOME_DIR || os8.homedir();
High
Host Fingerprint Exfiltration
Source collects local host identity data and sends it to an external endpoint.
dist/index.jsView on unpkg · L440Findings
4 High2 Medium4 Low
HighChild Processdist/index.js
HighShell
HighSame File Env Network Executiondist/index.js
HighHost Fingerprint Exfiltrationdist/index.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings